(2 years, 6 months ago)
Westminster HallWestminster Hall is an alternative Chamber for MPs to hold debates, named after the adjoining Westminster Hall.
Each debate is chaired by an MP from the Panel of Chairs, rather than the Speaker or Deputy Speaker. A Government Minister will give the final speech, and no votes may be called on the debate topic.
This information is provided by Parallel Parliament and does not comprise part of the offical record
I beg to move,
That this House has considered the Computer Misuse Act 1990.
Before I begin, I draw Members’ attention to my entry in the Register of Members’ Financial Interests, and in particular to my stakeholding in a firm that has offered digital forensic services in the past, but which I understand does not plan to offer such services at least for the next three to five years.
It is a pleasure to serve with you in the Chair, Sir Mark. I am grateful to have secured this important debate of national security significance, especially considering this morning’s headlines about the potential spyware attack on No. 10. The need for this debate has become more urgent of late, especially considering the barbaric and unprovoked invasion of Ukraine, which has placed a spotlight on the pressing requirement to strengthen the UK’s cyber-security.
The UK Government have achieved a great deal in developing our cyber-capabilities, spearheading the creation of the National Cyber Force and putting aside a total of £2.6 billion for cyber and IT, which is a significant funding increase on previous years. I strongly welcome the Department for Digital, Culture, Media and Sport working more closely with cyber-security firms, through £850,000 of funding to support the establishment and activities of the UK Cyber Cluster Collaboration.
Given this Government’s strong record developing our cyber-capabilities, it is surprising that 32 years after its introduction as a private Member’s Bill, the Computer Misuse Act 1990 remains the primary piece of legislation covering cyber-crime in the UK. I am sure we all agree that the technological landscape has altered drastically over the last 30 years. Our existing legislation must urgently be updated to reflect those monumental changes. When the 1990 Act came into law, Margaret Thatcher was Prime Minister, the first website was yet to be published and I was just a toddler.
The CMA was brought into law to criminalise unauthorised access to computers. In other words, hacking without permission became illegal, irrespective of motive or intent. However, the CMA came into force before the modern cyber-security industry, which now employs more than 52,000 people across 1,800 firms. In 2022, the methods used by cyber criminals and cyber-security professionals are often very similar—sometimes the same. Individuals who work in cyber-security are frequently required to perform actions for which explicit authorisation is difficult, if not impossible, to obtain.
Contemporary defensive cyber research into computer system vulnerabilities and threat intelligence often involves the scanning and examination of compromised victims and criminal systems to lessen the impact of future attacks—pre-empting what such a hack might resemble to prevent its success. It strikes me as woefully naive to think that criminals will explicitly authorise access to their systems. To do so would be akin to a policeman asking permission to arrest an individual.
British cyber-security professionals are at risk of being taken to court for obtaining actionable intelligence, which means that as a country we are dissuading vital research from being conducted at a time when countries such as Russia and China are increasingly deploying hostile technologies against us and our allies. Consequently, even though the CMA has been amended several times since 1990, its major flaw is that it fails to allay fear of arrest and/or prosecution among cyber-security professionals as they carry out essential threat intelligence research against cyber criminals and agents of rogue states.
We find ourselves in a perverse situation where industry specialists who are acting in the public interest—often dealing with issues that are critical to our national security infrastructure—are at risk of being designated a criminal. Even with responsible policing, the CMA can still be used by non-state bodies to pursue individuals through the civil courts, causing considerable financial and emotional injury to well-intentioned professionals. If situations such as these remain possible, future generations of cyber professionals could be deterred from pursuing a highly rewarding career, precisely at a time when we should aspire for Britain to continue its reputation as a global cyber leader.
In urging for reform of the CMA, I have worked closely with the CyberUp campaign, which argues for updating the law and makes the case that failure to reform is holding back our cyber defences and preventing the upskilling of our workforce. In the “Time for reform?” report published by the CyberUp campaign and techUK in November 2020, analysis of a survey showed that the industry overwhelmingly suggested that the CMA was not fit for purpose. More than nine in 10 respondents said that they
“did not believe that the Computer Misuse Act represented a world leading example of 21st century cyber crime legislation.”
With Russia frequently targeting infrastructure through cyber-attacks, it is becoming increasingly urgent that we resolve the contradictions in the CMA. We need only look at the 2017 Russian state-sponsored NotPetya virus, which caused billions of pounds-worth of damage, to appreciate how devastating such attacks can be. At the epicentre of this digital hydrogen bomb in Ukraine, national transport infrastructure ground to a halt, people were unable to withdraw money from ATMs and even the radiation monitoring system at Chernobyl went offline. The current situation is an immense security risk.
The national cyber strategy, which was published in December 2021, sets out a commitment to improving our resilience to cyber-threats, but currently the strategy is clearly hamstrung because of the CMA. I have spoken to threat intelligence researchers from leading UK cyber-security companies, who have stated that they come up against CMA-related barriers three times a week on average. In those situations, researchers must seek guidance on whether they can investigate without breaching the provisions of the Act. In 80% of such cases, investigations cannot be undertaken. Where investigations can go forward, there is a significant benefit, with the average number of victims who can be identified, and thus warned and supported, varying between a handful and often up to hundreds per investigation.
We can extrapolate the figures to try to develop a national picture of what is going on. Using data obtained in the DCMS sectoral analysis 2022, the list of CREST threat intelligence providers and statistics from the DCMS cyber breaches survey 2021, we can surmise that the CMA is an active consideration in relation to at least a hundred, but potentially up to 3,000 investigations, each week across the UK in cyber-threat intelligence firms; that is, of course, assuming that all the other firms are similarly conscientious about staying on the right side of the law. That means that up to 2,400 investigations could be abandoned due to sensitivities around the CMA, which in turn could mean that up to 1 million victims remain unidentified and thus under threat from cyber criminals. Financially, it is estimated that the outdated CMA is costing our economy at least £30 million a week.
Our digital economy is being held back by a law that came into existence when less than half a percent of the population used the internet. We need to make the case that Britain, with its impressive track record in computing, networking and cyber, is a fantastic place to invest, create jobs and upskill our workforce. As it stands, we risk losing out to global competitors with more liberal legislative regulations, such as France, Israel and the United States.
What practical changes need to be made to the CMA for it to be well placed to rise to the challenges of 2022 and beyond? Industry representatives have directly conveyed to me a strong desire to see the inclusion of a statutory defence for cyber-security professionals who are acting in the public interest. Although I understand the need to ensure an effective balance between protecting legitimate cyber-activity and being able to prosecute genuine criminals effectively, one thing that struck me in my meetings with industry representatives was that even among those who felt relatively at ease about the prospect of prosecution, there remained a strong and genuine fear of arrest, which would involve the seizure of their work devices—the tools of their trade—and cause significant stress to individuals who are proud of their contributions to keeping Britain safe.
Currently, the only protections in the Act, beyond a few cases where a warrant is obtained, are extendable only to actions undertaken with explicit authorisation. Consequently, for the law to work for 21st-century Britain and its need to defend itself from cyber-attacks, reform should include a legal mechanism and clarify legal ambiguities in order to put professionals at ease.
I apologise for not being here at the very beginning. My hon. Friend is absolutely correct about a statutory defence, but I understand that that could be achieved without changing the current legislation, particularly if it were done in co-ordination with the Crown Prosecution Service.
It is important that we respond directly to the concerns of the cyber-security professionals; this is what they have asked for. Meaningful engagement with them will lead to a potential compromise. There is also a need to balance how we act against genuine cyber criminals, and I think that meaningful engagement and working with them will be the way to find that suitable compromise.
Updating the CMA has widespread cross-party support, with the all-party parliamentary internet group first calling for reform of the CMA in 2004—18 years ago. Since then, the Intelligence and Security Committee’s Russia report has recommended that the CMA should be updated in response to the heightened risk of malignant Russian cyber-activities.
Although cyber professionals across the country and I greatly appreciate the announcement by the Home Secretary last year of a review looking at the CMA, progress has seemingly been slow. Some 66% of respondents to the Government’s call for information had concerns over the existing legal protections of the CMA, so I hope that the Minister will update us as to whether the review is being expedited, especially considering that there has been an increase in hostile cyber-actions undertaken by rogue states and given this morning’s headlines on potential spyware attacks on No. 10. I would also be grateful if the Minister would meet myself and others from the campaign to discuss the matter further. I look forward to hearing contributions from hon. and right hon. Members.
It is a pleasure to speak in this debate, Sir Mark. I commend the hon. Member for Bridgend (Dr Wallis) for setting the scene so well. I look forward to contributions from others, especially the Minister. From previous experience of dealing with the Minister, and of partnership and co-operation with him, I believe that his answers will be helpful to us. Whether we are technically-minded or otherwise, we all recognise the key issues to which the hon. Member for Bridgend has referred. Why is this issue so important? It is because, as the hon. Gentleman has said, stakeholders have expressed deep and real concerns about the poor security of many devices. I will speak first about individuals and companies, and then probably take my arguments a wee bit beyond that.
Insecure devices can compromise privacy or be hijacked and used to disrupt other uses of the internet. That happens every day in my constituency and across the whole United Kingdom of Great Britain and Northern Ireland. The Government set in motion a strategy, which was first mooted in 2016, that set a date of 2021 for most online products and services to be cyber-secure by default. Will the Minister in his response tell us whether those targets have been met, and if they have not, when will that happen? DCMS has proposed a voluntary code of practice. I certainly would have liked to have had something mandatory in the system. Perhaps the Minister will indicate whether that is his and the Government’s intention.
I cannot profess to be technically-minded, but my staff are. They tell me that it is possible to access personal and confidential data, including on bank accounts, through our phones. That is why the debate is vital and why we need to seek from the Minister the reassurance that the protections that people need and want are in place. There is not a week in my constituency when people do not come to me about such issues. If someone phones an individual and talks about that individual’s bank account, it is not their bank. If someone phones and asks personal questions about confidential data, they are not legitimate.
In the recess, I watched a consumer programme which highlighted a scam that looked so convincing—what was happening looked absolutely correct to the untrained eye—but the experts looked into the issue and were able to help the person who was being scammed to thwart the scammer. As I have said, there is not a week when I do not hear about a scam. Usually, they are against elderly people, but also against others those who inadvertently give out details and lose their savings. Just a few months ago, a gentleman in my constituency was scammed. The appearance of legitimacy and truthfulness meant that he did not fear that it was a scam, but he lost £20,000, which has never been retrieved.
Cyber-attacks are one of the most common types of crime experienced by individuals in the UK. According to national crime statistics, some 2.4% of adults in 2017 and a higher percentage today will have experienced cyber-attacks, including on their personal computers, which is what this debate is about; I thank the hon. Member for Bridgend for setting the scene.
User behaviour is a factor in the poor cyber-security of consumer devices, whether by the individual or the system that they use. The 1990 Act needs to be reviewed to provide greater protection. Some user behaviours include using default, weak or reused passwords. What can we do? We need to establish good practice in the industry, improve the cyber-security of consumer products, adopt a vulnerability disclosure policy, make software updates available for stated lengths of time, and inform consumers on setting up, managing and improving the security of household connected devices, as in the DCMS’s own code of practice, which was published some time ago.
UK infrastructure must be protected. The Government have identified cyber as one of the top six tier 1 threats. Cyber-crime costs the UK some £1.27 billion per year, with about 60 high-level cyber-attacks a month, which indicates the magnitude of the problem. Many of the 60 high-level cyber-attacks a month threaten national security, which is also why this debate is important.
The hon. Member for Bridgend referred to Ukraine. Russia launched a cyber-attack on Ukraine’s electricity network back in 2015. Some quarter of a million people were impacted by that attack, which I think he also referred to. That example shows that even six or seven years ago, before the war, cyber was being used as an instrument of war by Russia, and indicates how much cyber-attacks can disrupt and compromise. Cyber-attacks are a method of warfare, which is why I support the hon. Gentleman’s call for legislative change.
I will make a plug, as I always try to do in these Westminster Hall debates. The Minister will be well aware that Belfast is a cyber-security stronghold and is very much at the forefront of cyber-security development. Belfast has become a capital of security. Any new cyber legislation must not prevent cyber-security experts from doing what they do best, which is finding the loopholes in programs.
Much consultation must take place to ensure that the Government do not tie the experts’ hands or throw the baby out with the bathwater. After all, the experts are combating criminal activity, and abuse and aggression from foreign powers such as Russia and China. Will the Minister confirm that any legislation that is proposed will entail working with companies—for example, cyber-security companies in Belfast and Northern Ireland—to enable their excellent progress to continue?
I fully support the motion tabled by the hon. Member for Bridgend. I look forward to hearing the contributions from the two Opposition spokespersons, and particularly to the Minister’s response. I hope that he can give us the reassurances we seek, so that we can continue to be at the forefront of cyber-security in Belfast, as we are throughout the whole of the United Kingdom.
I congratulate my hon. Friend the Member for Bridgend (Dr Wallis) on securing this debate. I myself put in for a debate on this issue a while ago, but the gods obviously smile more on Bridgend than they do on Boston. Nevertheless, I welcome this opportunity to debate the issue.
I thank the Minister and his officials for several meetings that he and I have had about this issue relatively recently. All were prompted, as my hon. Friend the Member for Bridgend said, by CyberUp and by Kat Sommer, who deserves to be cited in Hansard for her persistence, among many other things.
This is an important but technical issue. I will be honest and say that I am not completely certain that the Computer Misuse Act 1990 is broken, but I am certain that it can be improved, by one means or another. That is because, as my hon. Friend the Member for Bridgend said, the structure of the cyber-security industry has changed since the Act came into force, and is different from almost any other part of the national security set-up. If we were to ask whether academics have a right to interrogate systems for the purposes of research, we would definitely say yes. If we were to ask whether businesses have the right to interrogate those same systems, we would assume that it was for commercial purposes and that it was important to have different rules.
It is also a sector where a lot of very small-scale research is done by individuals—some of them literally in their bedrooms. There is a very diverse set of people looking for loopholes and vulnerabilities. Uncovering those vulnerabilities—be they in banks, businesses or any other area where we all rely on the internet—is categorically in the public interest, even if it may also be in the interests of businesses, researchers or people looking for bounties given by large businesses to uncover those vulnerabilities. Those businesses realise that it is in their interests to provide the maximum security to their customers or users.
That gets to the heart of why the Computer Misuse Act matters. On the one hand, it seeks to prevent hacking and other things that we do not want to see done by people with malign intent; but on the other hand, it risks fettering the ability of people with the public interest at heart to solve issues that we would all like to see solved. Admiring the problem is the easy bit; the hard bit is trying to work out what we should do about it.
There are a couple of things that we should not do. We should not introduce a blanket public interest defence for anyone who goes looking for things that might subsequently be perceived as a loophole or bug in a system. To do that would potentially give carte blanche to anyone who got caught, allowing them to claim that they were going to fess up about it, rather than benefit from it themselves. A public interest defence that goes too far should be avoided. I find it hard to imagine how a public interest defence might be constructed that does not, inadvertently or otherwise, go too far.
The other thing that we should not do—notwithstanding the figures that my hon. Friend the Member for Bridgend quoted—is assume that cyber firms of any sort should not be mindful of legislation such as the Computer Misuse Act. Of course, if someone is doing research they should consider what is legal. It is a good thing, not a bad thing, that it is a factor for consideration for those who are engaged in the cyber-security industry. We should be mindful of how we can fix the Act, rather than just sweep it away altogether. I come to a point that was made a moment ago; those issues can probably be addressed through enhanced guidance that provides a degree of legal comfort to the unsurprisingly risk-averse lawyers who work for cyber firms and others. Such guidance would not provide carte blanche to people who might have malevolent intent.
Criminals will not be looking at the CMA and wondering whether what they are doing is legal; by definition criminals are not bothered about whether they are breaking the law. However, there is an important grey area, and we should not create an unintended opportunity for people to defend themselves in court. I implore the Minister to continue his work on the review of the Act, which is really important, but with some minor legislative tweaking we could provide the comfort that the industry rightly asks for and could continue to secure the excellent reputation that Britain has and, as the hon. Member for Strangford said, that Belfast has, for being a world-leading cyber power. We can build on that success because the CMA is an example of a bit of legislation that, although very old, has largely stood the test of time for a lot longer than many might think.
I will close by simply saying that the principles embedded in the CMA are not bad ones. Whenever it comes to legislating for the internet, we should realise that the internet has not necessarily reinvented every single wheel, and principles that apply offline can be applied online. In this case, they need a little bit of updating, but I do not think we should throw the baby out with the bathwater, as the hon. Member for Strangford said.
I am absolutely delighted to speak in this extremely important debate—it is perhaps not pressingly urgent, but very important. I congratulate my hon. Friend the Member for Bridgend (Dr Wallis) on securing this debate and on his speech. I pay tribute to my hon. Friend the Member for Rushcliffe (Ruth Edwards), who wrote an excellent foreword in the report from CyberUp and techUK, “Time for Reform? Understanding the UK cyber security industry’s views of the Computer Misuse Act”. It is an excellent paper with sensible suggestions.
If I may say so, we are blessed to have this Security Minister here in his place. As far as I understand it, being Security Minister is not for someone who showboats or campaigns; it is for somebody who is extremely thoughtful and reliable and can really get to the heart of matters, so I am grateful that my right hon. Friend is the Minister replying today. He might not be able to respond to all the points today, but I know he will certainly think about them. I also pay tribute to my hon. Friend the Member for Boston and Skegness (Matt Warman), who showed his command of the subject.
I approach this debate with great humility, deeply aware of my own inadequacy at rising to the most difficult technical problems involved. I say that not because I do not know anything about the subject, but because I do. I have an MSc in computer science from Oxford, which I gained in 2000. I was once upon a time—at least, I think so—a reasonably competent Unix system administrator. I have done a network intrusion course as a software engineer, and I like to think that I might be considered as once being above average as a software engineer.
Having read books such as “The Art of Computer Programming” and Bruce Schneier’s book on cryp-tography—he is one of the world’s great experts—I am well aware that the subject of cyber-security is fabulously complex and difficult and not well understood. Without naming the organisation, I once went to a major public body to talk about cyber-security. It had put a large TV up on the wall and on it was a NORAD-style display of cyber-attacks going to and fro across the world, and there was a little software engineer’s rolling league table of which attacks were in progress. I asked what it all meant, and the public body did not know. It could not tell me what the attacks going to and fro meant, which put the meeting in context. So my first point is that no one following this debate or this subject should be under any illusion whatever about the complexity involved. It is a problem for the top 1% of software engineers—the sort of people who might be employed at GCHQ at the very cutting edge of understanding computers, how they work and how things can be dealt with.
Secondly, I think reform of the Computer Misuse Act would be a very good thing. My goodness!—what we have learned and how things have changed since that Act was put in place. Even since I joined Parliament in 2010, software engineering has changed tremendously. We all find that we go out of date very quickly, and the law has to keep pace with how things have changed.
The point was made earlier that some things that happen in the real world have parallels online. When I look at the range of things that software engineers have to do to counter network intrusion and cyber-attacks, at the moment we seem to be in a position akin to saying to a householder, “You may not defend against burglars,” or to someone attacked in the street, “You may not commit acts of self-defence.” That parallel might be flawed, but we have to look extremely carefully at whether software engineers and other professionals are adequately defended in law, so that they can do what is necessary to defend against criminal attack. That is what we are talking about.
The paper from CyberUp and techUK is excellent. I read it only over the weekend, but it all seems to be very sensible and well thought through, and I certainly commend it to the Minister and his officials. They should have a really good look at it to see whether the case has been made, in particular for a statutory defence for professionals in the field, making sure that we have taken into account everything we now know about cyber-security.
I am not actually in favour of an official register of professionals, which is recommended in the paper. There are two reasons for that. First, insert here all the arguments about the state running registers of professionals—the anti-competitive practice it can encourage and so on—which do not need rehearsing. It would also become something of a honeypot for criminals. If we were to create a privileged list of registered actors who are, in some sense, allowed or better facilitated to conduct cyber-security operations, for want of a better term, that would create an enormous incentive for criminals to get their people on that list, or to corrupt individuals on the list in order to get what they want from them. I remain opposed to having a state-sponsored list of professionals with some kind of privilege to conduct these operations, outside of employees of the state themselves—obviously, we employ people to do this sort of thing. I think that would be a mistake.
Those are the three points that I wanted to make. First, we need humility as we approach these things. This issue is not susceptible to loose pub chat; it needs real expertise. Secondly, reform of the CMA seems to me to be a jolly good idea. Thirdly, there should be no official register. Once again, thank you very much, Sir Mark. I am really looking forward to hearing the response of my right hon. Friend the Minister.
I thank my hon. Friend the Member for Bridgend (Dr Wallis) for securing this debate. Once upon a time I also applied for it, so I am glad that one of us got through the lottery.
I am the chair of the all-party parliamentary group on cyber security, and this is an issue that we have looked at time and again. We have looked at specific reform of the CMA, and frankly, with almost any issue we concentrate on, we keep coming back to the challenges that the CMA brings up for professionals. As others have done, I thank CyberUp for the support it has given, both to the APPG and in advance of this debate. When reforms are made to the CMA, it will be due in no small part to the advocacy that CyberUp and industry have put behind this.
My view is that the CMA is holding the UK back and making us less secure. It needs reform, and the urgency is very keenly felt in the industry. It is frankly ridiculous that we are reliant on a piece of legislation that came into force at the time of Windows 3.0, before Google and Amazon, and crucially before the internet had come into common use.
In the last meeting of the APPG on cyber security we had Ciaran Martin, the former head of the National Cyber Security Centre, before us, and we asked his view. It is hard to articulate how much he rolled his eyes when I asked the question, but clearly the view of those who operate in this space is that the time for change is now.
As it is currently written—I apologise, Sir Mark, for going over some of the same ground—the CMA inadvertently criminalises a large proportion of vulnerability and threat intelligence research that UK cyber-security professionals must carry out to protect the UK from cyber-threats such as the one affecting No. 10 that is in the news today, ransomware attacks and those from state actors such as Russia.
Let us be clear: the legal jeopardy that cyber-security professionals face is not theoretical but very real. We have heard from professionals who have been at the sharp end of the law for merely doing their jobs—probing weaknesses in order to fix them. At a time when the world has never been more connected, and there is inter-reliance between news, messaging, shopping, banking, security and leisure—the web of systems that hold modern society together—we need to ensure that the laws are fit for purpose and fulfil the roles they were enacted to achieve. I firmly believe that this one does not and we are the poorer for it.
It is worth spending a little time putting this in context and detailing the main challenges of an unreformed CMA. Cyber-security professionals identify vulnerabilities in products and services and work with manufacturers and vendors to fix them. They detect cyber-attacks, gain insights into attackers and victims, lessen the impact of incidents and prevent future ones. The Government’s “National Cyber Strategy 2022” recognised the value of that important work. It committed to building valuable and trusted relationships with the cyber-security researcher community to deliver a reduction in those vulnerabilities. But the CMA is currently a block to that, irrespective of the intent or motive of those doing the work. That leaves the UK’s cyber defenders having to act with one hand tied behind their back, because much of their defensive work requires interaction with compromised victims’ and criminals’ computer systems where owners will not give access or explicitly permit such activities.
Another aspect is that the Act is having a really damaging impact on the cyber-skills pipeline. In 2018, the Joint Committee on the National Security Strategy concluded that a shortage of “deep technical expertise” was one of the greatest challenges faced by the UK in relation to cyber-security. This year’s national cyber-security strategy made explicit the need to grow and improve sectoral skills in order to build UK resilience to threats. But we should be clear about the chilling effect that the CMA is having on doing that and the challenges that it throws up. The sector needs a diverse range of minds in order to continue to grow and to adapt to a changing environment. High-profile prosecutions enabled by the CMA for little more than pursuing public interest investigations reinforce negative stereotypes that may deter some from pursuing a career in cyber-security. If the UK is to meet the challenge of closing the cyber skills gap, it needs to stop criminalising the activity, and ultimately talent, that is needed to promote the industry and grow its share of the global cyber-security services market, which is currently dominated by North America. That will not only grow cyber skills in our own economy, but help to build cyber resilience and better defend the UK.
As my hon. Friend the Member for Bridgend pointed out, there are relatively simple tweaks that we think could be made to this legislation that would make a big difference in this space. They would unlock huge opportunities for the sector and our national resilience. As has been mentioned, the inclusion in the CMA of a statutory defence, not a blanket one—I think my hon. Friend the Member for Boston and Skegness (Matt Warman) was absolutely right on that—would give cyber-security professionals acting in the public interest a clear defence from prosecution. That would provide legal clarity for individuals, the industry and the state. We can learn much from our international partners in this space about how to achieve a fair balance and enact safeguards to ensure that new freedoms are not abused by those who are not on the side of the angels. I am talking about a clear framework that measures the defensibility of an action, proportionality, intent and competence and looks at a harm-benefit profile. They are the sorts of principles that we should be considering when looking at reform.
It seems bizarre that as we launch the National Cyber Force in Lancashire and as my local town deal brings a university campus focused on cyber-security in Barrow, the legal framework that will enable these people to do their jobs and practise their craft is lagging behind. It is clear from the national cyber-security strategy that, as a country and a Government, we do not lack aspiration in this space, and that is a really good thing. It is the burden of advanced nations to have to defend these new frontiers, but we must ensure that the framework is in place to support our good efforts and deliver on the opportunities that the strategy speaks about. A very good step would be reforming this Act and ensuring that those acting in the public interest have protection from unjust litigation. Doing that would make us all safer.
While we are on the subject of the new cyber-security centre, I too am very pleased that it is coming to Lancashire; it is next door to my constituency. Like Mr Baker, I am proud to have studied computer science at master’s level—in my case at the University of Manchester—so I am very pleased with the developments and the way that things are going forward. We will hear from the Front Benchers now.
It is a pleasure to see you in the Chair, Sir Mark. We do not always have such a knowledgeable Chair in relation to such technical matters.
Indeed.
I thank the hon. Member for Bridgend (Dr Wallis) for securing the debate and for his expert introduction of the topic. He rightly highlighted events in Ukraine, and, indeed, today’s reports of attacks on No. 10 as providing a stark backdrop to this discussion. He and all hon. Members made a strong case for revisiting and revising the 1990 Act.
The point I agree with most fundamentally was made by the hon. Member for Wycombe (Mr Baker), who highlighted the complexity of these issues. I feel rather underqualified at the moment, particularly given the CVs on display today. Nevertheless, I approach this topic with an open mind and am open to persuasion by the experts. I welcome the Home Office’s call for information last year. The recent cyber strategy hints at this legislation being looked at again. If the Government proceed with reforms, the Minister will have our support and we will play as constructive a part as we can to ensure that they are the right ones.
As we heard, the 1990 Act was pretty much rushed into effect via a private Member’s Bill when it seemed to be established that hacking—shoulder surfing in one particular case—was not against the law. Obviously, that had to change, so the legislation put criminal offences on the statute book for unauthorised access, unauthorised access with intent to commit other crimes and unauthorised modification of computer material, but things have changed significantly since then. The hon. Member for Bridgend said he was a toddler back when the legislation was passed. I certainly was not; I would have been sitting, as a teenager, with my BBC Micro computer taking 20 minutes to load “Football Manager”. He is right to point out that, back then, a tiny percentage of the population had access to computers. The internet was something for the future. Technology has changed in unbelievable ways, with computer use now absolutely ubiquitous. People are also using a large number of smart internet-connected devices. That all radically alters the threat landscape from when the legislation came into force.
As the Act explicitly mentions computers and not other internet of things devices that can connect to the internet and be hacked, things such as smart fridges or nanny cams must be argued to be computers to fall under scope of the legislation. We had reference to the submission by the NCA to the House of Commons Russia inquiry, highlighting the widespread use of mobile phones as a reason for urgently updating and reforming the CMA. The legislation does not appear to be effective: one report I read recently suggested that less than 1% of reports of hacking led to prosecutions. There are issues about whether it even works in bringing criminals into the court system for justice.
It is right to acknowledge that it is not the case that the Act has not been updated at all. Changes have been made: punishments have increased and, significantly, the offences of impairing the use of a computer and provision of articles to facilitate misuse have been added. The Government have also started to address the problem of securing smart devices through the Product Security and Telecoms Infrastructure Bill 2022, but revisiting and broadening the scope of the CMA would improve on that and complete the move to address the internet of things security dilemma.
Perhaps a more pressing issue, which Members have rightly focused on, is that the Act does not attempt to differentiate between the motives of hackers: malign cyber criminals who intend to exploit or harm other users or their systems are treated the same as those identifying weaknesses and flagging them up for altruistic reasons. Often, ethical hackers test a company’s systems accurately by using the tools that hackers themselves would use. Those concerns have led to the CyberUp campaign and the idea of a statute of defence to protect cyber researchers identifying vulnerabilities in computer systems and company networks not to exploit them but to help fix them. I pay tribute to that campaign for helping me try to understand what this is about.
As the hon. Member for Barrow and Furness (Simon Fell) put it, all this is holding us back. While US IT security companies can offer whole-of-supply-chain vulnerability scanning to identify weaknesses that could compromise systems, UK companies cannot offer those services for fear of prosecution under the CMA. He pointed out that that has a knock-on effect on our ability to grow our expertise and talent base. If those working legitimately to uncover vulnerabilities or using hacking tools to simulate attacks are left at risk of prosecution for doing their jobs, that leaves companies, organisations and our key infrastructure more vulnerable to attack.
Adding a defence to the Act seems a sensible way to proceed. I accept that the scope of any such defence has to be judged carefully. This is not a straightforward. The hon. Member for Boston and Skegness (Matt Warman) was right to raise the difficulties. While a defence should protect those engaging in legitimate vulnerability scanning or ethical hacking, the defence must be defined in a way that does not encourage vigilante activity or any sort of free-for-all. He suggested as an alternative the idea of using guidance. I must say that, as a lawyer, I slightly shy away from using guidance when the alternative is to put something on the face of a Bill; from a rule of law perspective, that is always more desirable but, again, it is something that I am open to persuasion on.
All these concerns have been recognised by the CyberUp campaign through inclusion in its proposals for various tests, including a competency element, to ensure that only a person engaged in activities covered by the Act who is competent to do so and who has good intent is protected. While it is complicated, I believe that it can be done and should be done.
I finish by again welcoming the debate and the chance to put on record our support for reviewing, revising and updating the 1990 legislation. As I said, we will work constructively on any proposals to do that.
As always, it is a pleasure to serve under your chairmanship, Sir Mark. As others have done, I will start by paying tribute to and thanking the hon. Member for Bridgend (Dr Wallis) for securing today’s important debate and for his ongoing and important role in highlighting some of the issues in this policy space.
Like others, I will start with some humility about the limits of my technical capabilities in this space, while very much recognising that the comments of those who have some background in it have been particularly insightful —I include your comments in that, Sir Mark.
We often describe debates in Westminster Hall as timely, but as the UK faces a threat unlike any other in recent history, and just one day after reports broke that Downing Street itself may have been may have been targeted using Pegasus hacking software, which can turn smartphones into remote listening devices, a renewed focus on the Computer Misuse Act could not be more urgent.
As others have mentioned, the 1990 Act was the first major legislative attempt to tackle cyber-crime and criminalise hacking. The Act strengthened the protection of personal data held by organisations by making it a crime for individuals to gain unauthorised access to that data or to modify it without the necessary permission. Undoubtedly, it was a significant landmark, but given the rate and complexity of technological advance, the Act is long overdue for reform. While it has been amended by more recent legislation, at 30 years old, its contemporary relevance continues to wane.
This policy area moves at such a pace that legislation could be rendered out of date in the time between a new law being drafted and securing Royal Assent, so laws governing this space would require almost constant consideration and review. That is where the statutory guidance plays an important role, as some areas of this must be particularly dynamic. However, with the Act at 30-plus, and without a significant overhaul, we are now woefully ill-equipped as a country to ensure that we are meeting as robustly as is required the cyber challenges that we face.
In 2020, an estimated 99.99% of total cyber-crime and roughly 99% of reported computer misuse offences went unpunished. That is despite the fact that we know that cyber-crime is significantly under-reported. Coupled with that, there were only 45 prosecutions in 2020 for computer misuse offences. In total, there were 43 convictions, with the average custodial sentence being 15.7 months, and the average fine just £1,203. While there are several reasons for low prosecution rates for cyber-crime—such as jurisdiction, with a great deal of this type of crime being committed abroad—the CMA, with its confusing framework and ambiguous, outdated terminology, presents a further challenge.
I recently met the CyberUp organisation—others have already paid tribute to its work—which was set up in 2020 to campaign for reform of the CMA. It is a broad coalition of supportive bodies from within the cyber-security industry, including the larger cyber consultancies and the cyber industry trade body, techUK, and has the backing of the Confederation of British Industry. Others have cited similar arguments, such as the Criminal Law Reform Now Network, which was launched in 2007 and comprises leading academics, practitioners and legal experts in the field. In its 2020 report, it concluded that the CMA is “crying out for reform”.
Speaking last year at the National Cyber Security Centre, the Home Secretary announced a welcome formal review of the CMA. The result of the call for information was clear, with 66% of respondents saying that they had concerns over the current protections in the Act for legitimate cyber-activity. I understand that the outcome of the review is expected to be published early this summer, so as with others who have spoken today my first question is, can the Minister confirm when we can expect the next step of that review? I would be grateful if he could update Members about that. Given that there is no reference to reform of the CMA in the Government’s new national cyber strategy, which was published late last year, many people hope that the review will comprehensively address the areas discussed today and provide a clear position on how we move forward.
As the hon. Member for Bridgend has mentioned, reviewing the CMA in the light of Russia’s abhorrent invasion of Ukraine is of even greater importance in order to ensure that our cyber-defence is fit for purpose. As outlined in the 2020 Russia report conducted by the Intelligence and Security Committee,
“Russia’s cyber capability, when combined with its willingness to deploy it in a malicious capacity, is a matter of grave concern, and poses an immediate and urgent threat to our national security.”
During evidence provided to the Committee, the NCA explained:
“The Computer Misuse Act…is very outdated legislation. It was designed for a time when we all didn’t carry six phones and computers and let alone have criminals who do the same.”
It would therefore seem more than sensible for the Government to accept the report’s recommendation that the CMA
“should be updated to reflect modern use of personal electronic devices”,
alongside the report’s other recommendations.
A Government report published just last month and conducted by the UK, the US and other allies exposed the historic malign cyber-activity of Russia’s Federal Security Service, including a long list of cyber-operations targeting the UK energy sector, US aviation and a Russian dissident in the UK, who was targeted using sophisticated hacking and spear phishing. Given the historic and increased cyber-threat level, we must consider the concerns of cyber-security professionals who make a strong case that the CMA, in its current form, prevents them from being able to robustly test security systems using some of the most effective methods available to them.
Last month, the former chief executive officer of the UK National Cyber Security Centre warned that our current system
“lacks nuance in protecting people who inevitably have to look into bad things to protect against them.”
That argument is further supported by the recent findings of a survey conducted by CyberUp and techUK, which found that 93% of cyber-security professionals believe that
“the Computer Misuse Act did not represent a piece of legislation that was fit for this century”
and 91% of cyber-security businesses felt that
“they had been put at a competitive disadvantage relative to other countries with better legal regimes.”
If we do not have a system that our security professionals have confidence in, we do not allow them to robustly defend our security to the best of their abilities.
Having discussed the necessary reasons for reform, it is important to consider what legislative reform would look like and the possible alternatives available to us. One reform, advocated by CyberUp and the Criminal Law Reform Now Network, would introduce a statutory defence to the CMA, using a principles-based framework that would allow cyber-security professionals to defend activities performed in the public interest. I recognise the diverse purposes for interrogating cyber-security, which were raised by the hon. Member for Boston and Skegness (Matt Warman), and the requirement to ensure that we find the balance in introducing a defence. When an individual is able to demonstrate clearly that they acted to prevent crime or to protect a system or that no personal profit or gains were made, it would seem reasonable and appropriate for that to be recognised in new legislation.
If I have understood the French approach correctly, article 40 of the criminal procedure code allows for a person who is acting in good faith and who acts solely in the national interest by notifying the appropriate body about an existing vulnerability related to the relevant system. That may be a comparison we can look at in order to see how we can best update our legislation.
If we are to ensure that we can protect ourselves from evolving cyber-threats, such as those revealed at the very heart of Government today, the Computer Misuse Act must be reformed as a priority to acknowledge the changes in our technological landscape. When the CMA was drafted, the majority of people did not even have access to a computer, but now we all carry that capacity with us in our pockets. Times have changed, and so must the legislation.
I would be grateful for an outline of the Government’s response to the revelations of spyware in Downing Street, and for confirmation that a comprehensive and urgent investigation is under way, as well as for an update on whether any upcoming legislation on countering hostile state actors will operate in this online space and when we might see more detail about those proposals.
Being able to combat threats from hostile cyber-actors in the current geopolitical environment is an essential requirement, and it is our role as legislators to ensure that that is possible. We need the very brightest and best working in the UK cyber-security space; those professionals must have the ability to do their jobs as well as they can if they are to deliver the protections that our country urgently needs.
It is a pleasure to serve under your expert chairmanship, Sir Mark. I thank my hon. Friend the Member for Bridgend (Dr Wallis) for securing today’s debate and bringing this important issue to Westminster Hall. I am also grateful to all colleagues who have taken part. It strikes me that this is a good example of bringing to bear on Parliament not just opinions or political points but real depths of expertise from the outside world. I think it has been a very good debate.
I thank the SNP spokesman, the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald), and the Opposition spokesperson, the hon. Member for Halifax (Holly Lynch), for the constructive way that they engaged with the important discussion. I reassure everybody that it will feed into the review, which I will come back to later. I confirm to my hon. Friend the Member for Bridgend that I would be pleased to meet with him and a group of colleagues to discuss the issue further—I look forward to it.
As the Minister for Security and Borders, I am keenly aware of the scale of the cyber-crime threat facing our citizens and businesses. Keeping them safe is a key priority for the Government and our operational agencies and I take this opportunity to thank all those who work tirelessly to protect the public.
The threat from cyber-crime has intensified over the last couple of years. As the hon. Member for Halifax said, the pandemic meant that even more of our lives were spent online, and, inevitably, criminals have sought to exploit that shift. The statistics bear out the scale of the threat, with computer misuse now accounting for an estimated 15% of all crime. That opportunism is despicable and underlines how crucial it is that we have a robust and effective response. The Computer Misuse Act is primarily about hacking into someone else’s computer, but clearly there are more crimes that involve misusing computers for criminal means—most fraud, for example. Later today we have the Second Reading of the Online Safety Bill, which is an ambitious and forward-looking piece of legislation that will tackle online harms around fraud and fraudulent advertising.
I turn to some of the points made by the hon. Member for Strangford (Jim Shannon) about protecting individuals and small businesses. I reassure him that comprehensive advice is available from Cyber Aware. We encourage everybody to act on that, starting with three key things: protecting email security with a password made up of three random words; using two-factor authentication where that is available; and keeping operating systems up to date—often when an update comes around it is to see off some weakness that has been found.
I want to note important steps taken by industry that can make what hacking yields of less utility—things such as the banking sector’s deployment of the confirmation of payee system. We have sector charters in place with key industries, including retail banking. While Northern Ireland has a different policing arrangement, in this part of the UK we have the regional and national cyber-resilience centres, supported by policing, to help give extra support and guidance to small businesses that may have less wherewithal to invest in cyber-security expertise.
I also want to respond to my hon. Friend the Member for Barrow and Furness (Simon Fell) about skills; he is absolutely right that although the issue is about machines, it is ultimately about people. It is people who improve our defences. There are key pathways and standards in the Institute for Apprenticeships and Technical Education system, including under the cyber-security technologist umbrella and more broadly with the introduction of T-levels. Indeed, the critical T-level is digital business services, which includes a minimum of nine weeks of industry placement. I strongly encourage firms operating in the area—in cyber-security and in-house digital technology—to support that to make sure we all work together to bring on that next generation of experts who will help keep us all safer.
The Minister has prompted me to recommend a book called “Peopleware”. It is a classic in software engineering and is all about people and how they develop software. One of its points is the orders of magnitude difference between different categories of competence in software engineering. It raises some interesting issues that I am sure he and his officials would find helpful.
I am grateful to my hon. Friend. I shall add that to my bedtime reading list, which is not uncrowded at present. I will look forward to getting to that.
In the last year, we saw a number of high-profile ransomware attacks around the world, including attacks on local authorities and schools in the UK. The National Cyber Security Centre has reported that in just the first four months of 2021, it handled the same number of ransomware incidents as for the whole of 2020. The National Cyber Security Centre has improved our understanding of the threat and provides a unified source of advice and support to Government and business.
I am afraid that the threat posed by cyber-attacks continues to grow in scale and complexity. That is why the national cyber strategy, mentioned by a number of colleagues and published in December, sets out how the Government will invest £2.6 billion over the next three years to develop a whole-of-society approach to increasing national cyber-security and resilience, including reducing the risk and opportunity for cyber-crimes and disrupting cyber-criminals. As part of that funding, we will continue to invest in the law enforcement cyber-crime network at national, regional and local level. In the face of such a broad and complex threat picture, law enforcement agencies must have the powers they need to investigate online criminality. It is also essential that we have robust legislation in place to enable action to be taken against the perpetrators.
My hon. Friend the Member for Wycombe (Mr Baker) was right about how much has changed since 1990, and my hon. Friend the Member for Barrow and Furness pointed out that the world is more interconnected than ever. Next year, it will be even more interconnected again. All that is correct and we must make sure we are up to date and up to pace. However, as my hon. Friend the Member for Boston and Skegness (Matt Warman) pointed out, it is also the case that over the last 30 years, the Computer Misuse Act has generally proven to be a far-sighted piece of legislation for tackling unauthorised access to systems. As the threat has changed, so too has the Act, which has been updated a number of times—most recently in 2015, where the offence of unauthorised acts causing, or creating risk of, serious damage was introduced.
We are firmly and fully committed to ensuring the legislative framework that underpins our efforts to address cyber-crime remains relevant and effective. That is why last May the Home Secretary announced a review of the Computer Misuse Act. The Home Office subsequently launched a call for information, which marked the first step in that process. The purpose of the call for information was to seek views of interested stakeholders across the piece, including in industry, academia and the agencies, on the Act and the associated investigative powers available to law enforcement. The Home Office has received responses covering a range of interesting and complex issues and we are grateful to those who have sent in their views. We are considering the feedback submitted and continue to engage with partners to determine whether changes are needed. We will provide an update on the initial findings of the review shortly.
I want to touch on a couple of key points directly relating to the Act that will influence the approach we take on defences. First, the Act is based on the principle that the owner of the computer and computer data has the right to say who can access it. I want to stress that point, which was made repeatedly during the development of the Act. Authorisation to access a system is the prerogative of the owner. It is that person who is responsible for the operation of the system and bears the cost of securing it.
Equally, the Government are rightly seeking to ensure that system owners take more responsibility for the security of their systems and the content held on them. Therefore it is right that the system owner has the protection of the law from those who obtain or attempt to obtain unauthorised access to computers and their data. We encourage firms to agree to having their systems tested for vulnerabilities by third parties but the fundamental point is that it is the choice of the legal property owner to determine that.
Secondly, we need to ensure that the Act continues to criminalise those who take unauthorised action against computer systems and provides the legal basis for relevant legal authorities to act.
In launching the review, we have been clear that we are open to changes to the Act that enhance our approach to that threat. However, I must also emphasise that any such changes should be well-considered and well-evidenced. We must guard against taking any action that would undermine the ability of law enforcement agencies and prosecutors to investigate criminals and prosecute them.
I have heard the views of Members on defences. My hon. Friend the Member for Boston and Skegness identified the nuance very well, as my hon. Friend the Member for Wycombe did the nuance of the registration of industry professionals. We are still considering the question of defences, but I am sure that Members would agree with me that we cannot put in place measures that would act as a mechanism for criminals and state actors to hide behind. That is why we need to tread cautiously. An ill-conceived defence could leave prosecutors with the burden of trying to prove a negative, for example, in needing to prove that cyber-attacker X was not, in fact, intending to protect a computer system when they attempted to access it without permission.
It is also worth pointing out that there are already defences in the Act that apply to cyber-security activity. If a person has the authorisation of the system owner to access the system, no offence is committed. In addition, any decision on prosecution is a matter for independent law enforcement and prosecuting agencies who take into account all relevant facts of the case. We must also ensure that any changes to the Act do not permit or encourage retaliatory cyber-activity, sometimes known as “hack back”. There is a danger that such a defence could embolden so-called hacktivists, or commercial entities who wish to offer such services, if they believe their actions could be protected under the law. The UK does not condone unlawful cyber-attacks of any kind.
Some responses to the call for information set out proposals for a review of sentences, and we have also had suggestions for new powers for law enforcement agencies to take action against criminals online. We are considering them as part of the review, including whether sentencing guidelines are needed to ensure that the harms caused by those committing Computer Misuse Act offences are appropriately considered during sentencing.
The hon. Member for Halifax asked a direct question and yes, state threats in this area are absolutely a prevalent and growing issue. I know she would not expect me to give a commentary on a specific security matter, but I want to reassure her and the House that the Government take extremely seriously the question about state capability in this area.
There is absolutely no doubt that the UK needs a Computer Misuse Act that is fit for purpose and can rise to the challenges of the present day. As colleagues know, the Home Office is engaged in a review that is charged specifically with ensuring exactly that.
The context of the war in Ukraine makes that work more important than ever, as the shadow Minister said quite rightly. I am acutely conscious of that, but we cannot rush this. That would only serve to help our adversaries. We are, therefore, approaching the exercise with the careful consideration that the public would expect and which these sometimes complex issues demand. Through the review, and as part of business as usual, we are listening attentively to law enforcement agencies and National Cyber Security Centre experts on what is most likely to enhance our national cybersecurity. Of course, we are also studying the approaches of other countries.
I thank my hon. Friend the Member for Bridgend for securing the debate, which has been interesting and insightful. I am grateful to have had the opportunity to outline our activity in the space and, as I said at the start of my remarks, I look forward to meeting my hon. Friend and colleagues to discuss it further.
I begin my closing remarks by extending my thanks to you, Sir Mark, for being in the Chair, and to all right hon. and hon. Members for their insightful contributions to this timely debate. It is wonderful to see such cross-party engagement on this issue of significance for our national security, and I am pleased about how Members have contributed to a very good debate.
I thank my hon. Friend the Member for Wycombe (Mr Baker) for raising an important point about humility. He and I both know that expertise a few short years ago probably means a lack of it today—I can certainly attest to that. His comments about the register of professionals were certainly also cause for thought.
I thank my hon. Friend the Member for Boston and Skegness (Matt Warman) for raising points about statutory defence. I think we can get the best of both worlds: it is possible, on our side, to give the reassurances that security professionals want without necessarily legalising what is obviously criminal activity.
I thank the SNP spokesperson, the hon. Member for Cumbernauld, Kilsyth and Kirkintilloch East (Stuart C. McDonald). When he spoke about smart fridges, he touched on something that I forgot to mention in my speech: however much we think the technological landscape has changed, even more is coming. It was not that long ago that the internet of things was just an idea, and now it is on its way. Everything will have a SIM card and everything will be connected to the internet. Driverless cars, drone deliveries and all those things are coming—they are not pipe dreams; they are currently being developed by someone, somewhere.
I also thank the chair of the all-party parliamentary group on cyber security, my hon. Friend the Member for Barrow and Furness (Simon Fell), for his concise and eloquent summary of the case for reform, and the shadow Minister, the hon. Member for Halifax (Holly Lynch), for introducing comparisons with how other countries have done—she mentioned France—which was very useful.
I thank my right hon. Friend the Minister for his attendance and for his carefully considered response to the points that were raised. I am grateful for his offer to make time available to meet us so that we can begin the important work of well-considered and careful reform.
Question put and agreed to.
Resolved,
That this House has considered the Computer Misuse Act 1990.